Avast WEBforum

Other => Viruses and worms => Topic started by: hostep on December 15, 2008, 12:03:09 PM

Title: ils.dll => false positive?
Post by: hostep on December 15, 2008, 12:03:09 PM
Hi

I just got a warning from avast, it detected a rootkit in the ils.dll file in the windows\system32 folder. (Windows XP SP3)
This happened on 2 of my computers at almost the same time.
This makes me think that this is a false positive?
Title: Re: ils.dll => false positive?
Post by: YoKenny on December 15, 2008, 12:08:03 PM
Looks like a FP:
http://forum.avast.com/index.php?topic=40975.0
Title: Re: ils.dll => false positive?
Post by: Dany1789 on December 15, 2008, 12:14:51 PM
I got the same warning.
Could somebody confirm this is an FP or not?

Thx.
Title: Re: ils.dll => false positive?
Post by: YoKenny on December 15, 2008, 12:18:58 PM
> I got the same warning.
> Could somebody confirm this is an FP or not?
>
> Thx.

I just received a VPS database update and scanned ils.dll and did not get an alert.
Title: Re: ils.dll => false positive?
Post by: Ikenag4 on December 15, 2008, 12:21:45 PM
Today, Dec. 15th, I've received a warning from AVAST about the c:\windows\system32\ils.dll. Here 2 computers using XP got this warning..

I guess a false positive warning...

I suggest you guys send a mail to the avast team, they can give us an answer...
Title: Re: ils.dll => false positive?
Post by: sadiem on December 15, 2008, 12:23:48 PM
Yup, same warning here.  Think I'll cancel the full scan running on that system and get to work, and hope for "official" notice this is a fp.
Title: Re: ils.dll => false positive?
Post by: JustinMP91 on December 15, 2008, 12:25:35 PM
I also received the same message...
Avast! popped up saying it had found a suspicious file, and that it was detected using heuristic methods. It was actually quite scary for me, as I go to great lengths to keep my computer safe from malware, and I don't think malware has ever actually been found on my computer in over a year lol.

I'm just going to assume that this is a false positive for now.
Title: Re: ils.dll => false positive?
Post by: Dork_Lord on December 15, 2008, 12:30:35 PM
Precisely the same thing here too, Avast says it detected ils.dll as a rootkit using a heuristic method.

Trend Micro rootkit finder says nothing, and the boot time scan also finds nothing, so I'm guessing false positive.
Title: Re: ils.dll => false positive?
Post by: panasonic on December 15, 2008, 12:31:03 PM
I got the same warning twice :S
So what is this then??
Title: Re: ils.dll => false positive?
Post by: LoveMeNot on December 15, 2008, 12:32:46 PM
Same here. The database updated and shortly after that the warning appeared. Then found this thread on Google.
Title: Re: ils.dll => false positive?
Post by: shilev on December 15, 2008, 12:34:42 PM
Me too, also on 2 computers  ???
I ran a boot scan and zero infected files were found. I also scanned the ils.dll file alone and it's OK. A few minutes after system restart the message appeared again!  ???
Could you tell me if it's something dangerous and what a false positive is?

thanks!
Title: Re: ils.dll => false positive?
Post by: JonM on December 15, 2008, 12:35:30 PM
I'm getting the same thing.  Virus Total says ils.dll is clean.  Looking at the file's "properties", it looks like it's part of Microsoft's NetMeeting software.

Title: Re: ils.dll => false positive?
Post by: Artur Lopes on December 15, 2008, 12:35:46 PM
Hi guys!
I have the same MSG about ils.dll.
Thanks!
Title: Re: ils.dll => false positive?
Post by: allskin on December 15, 2008, 12:35:59 PM
Yep me too.

Thanks for this thread  ;D
Title: Re: ils.dll => false positive?
Post by: Keiko1981 on December 15, 2008, 12:37:01 PM
Same here when I started up the computer a few hours ago.
Rebooted computer and scanned. No viruses found.
Title: Re: ils.dll => false positive?
Post by: Bellzemos on December 15, 2008, 01:15:01 PM
Same here... I'm sure it's a false positive. I clicked on Ignore and everything is fine... except that the message pops up every time I scan my computer.

(http://www.shrani.si/f/3i/10G/ShYBYcw/ils.jpg)

I hope Avast team will remove this FP in the new update.
Title: Re: ils.dll => false positive?
Post by: Skolkran on December 15, 2008, 01:24:50 PM
I've also just got a warning from avast, it detected a virus in the ils.dll file in the windows\system32 folder. Type: Rootkit
This happened on 2 of my computers (laptop and other) at almost the same time this morning (December 15th, 2008)

This problem seems to be encountered by many people all around the world and at the same time :-\. It's a very strange warning message, not usual ???.

J.

Belgium
Title: Re: ils.dll => false positive?
Post by: igor on December 15, 2008, 01:41:57 PM
The fixed VPS was already released - please invoke a VPS update.
Title: Re: ils.dll => false positive?
Post by: rpgreentree on December 15, 2008, 01:59:38 PM
Thank you guys for the info.  Saved me deleting a file that didn't need deleting.
Title: Re: ils.dll => false positive?
Post by: d.werkman on December 15, 2008, 02:02:38 PM
Same problem on my pc and pc's of two friends
Title: Re: ils.dll => false positive?
Post by: Lisandro on December 15, 2008, 02:23:08 PM
> Same problem on my pc and pc's of two friends

Update your virus database...
I have the problem here also. Seems that all XP SP3 is affected...
Title: Re: ils.dll => false positive?
Post by: frank_rud on December 15, 2008, 02:26:56 PM
Hi, the simple way to solve this problem is
1. ignore (only in this case)
2. to update vps database (download or click on update with mouse)
3. reboot with scan
4. seems okay

5. later ... use for security a rootkit analysis tool like RootkitRevealer or other tools
Title: Re: ils.dll => false positive?
Post by: frank_rud on December 15, 2008, 02:30:07 PM
This take effect not only on XPSp3
nor W2K Sp4, actual updates in use
Title: Re: ils.dll => false positive?
Post by: BigTel on December 15, 2008, 02:32:16 PM
The same just happened to me, I did a boot scan now nothing showing up, also used Acronis to take me back to a previous good build.
Title: Re: ils.dll => false positive?
Post by: tukso_n_march on December 15, 2008, 02:33:03 PM
GOT SAME THING TOO
Title: Re: ils.dll => false positive?
Post by: polonus on December 15, 2008, 02:39:02 PM
Hi folks,

If this is the file:
General dll file information
File Name:   ils.dll
File Size in bytes:   81920
File Size in kbytes:   80KB
Advanced dll file information
Company Name:   Microsoft Corporation
Software Product Name:   Windows® NetMeeting®
File version:   5.1.2600.2180
Description:   User Location Services Component Module
Operating System:   NT-Win32
File Type:   App

It is a FP, and then can be ignored. There are reports in from other forums too.
Should be corrected next time round, or already has with the most recent update,

polonus
Title: Re: ils.dll => false positive?
Post by: Lisandro on December 15, 2008, 02:40:25 PM
> GOT SAME THING TOO
Don't need to post twice the same.
This is corrected in the last virus database, please, update it.
Title: Re: ils.dll => false positive?
Post by: Mr.Bob4u on December 15, 2008, 02:42:11 PM
I just had the same this morning!
After scanning it comes back again!
 ???
Title: Re: ils.dll => false positive?
Post by: jarrick on December 15, 2008, 02:46:41 PM
I got the same message this morning and went to have a look at the file:

it says it was created on 25/04/2008 and was modified on 14/04/2008 - not sure how it is possible to modify something before it's created - but in any case, looks like it's been there for a while and I haven't noticed anything suspicious yet.
Title: Re: ils.dll => false positive?
Post by: Lisandro on December 15, 2008, 03:35:16 PM
> I just had the same this morning!
> After scanning it comes back again!
>  ???

Is your avast updated?
Title: Re: ils.dll => false positive?
Post by: safesite on December 15, 2008, 04:43:07 PM
I had the same issue with the ils.dll reporting in AVAST today. I deleted, sent the file to AVAST and ran a scheduled bootscan. Nothing bad found in that one.

At reboot I check for the ils.dll file in system32 and it's still there. Scan that one with AVAST and nothing comes up.

Okay, so what's the story??? Do we leave this file alone? Is it legit? Someone posted that it's bad, sending unauthorized messages in Messenger. I have blocked Messenger in ZoneAlarm and get no report from ZoneAlarm that this file is trying to access Messenger.

Some other people said that it's a false positive.

Now, what are we doing? Does it have to go or can it stay? Is it good or is it bad? Can we get a clear cut answer on this from someone who is into this and can substantiate their claim as well, possibly with links?

I'd like to know a 100% if I am safe or not.

Thnxs!
Title: Re: ils.dll => false positive?
Post by: AvastFanCS on December 15, 2008, 06:11:30 PM
I had the same message today, and ignored it.

It is a false positive indeed. That means, it has no virus at all.
The file belongs to the NetMeeting product which is part of Windows.

If you don't use NetMeeting, it doesn't matter if you kill the file. But you can keep it anyway, the ALWIL team fixed their virus database so this file isn't reported malicious in the future.

Simply update your virus database and this problem is gone....

They are doing a really good job at ALWIL.  :)
Title: Re: ils.dll => false positive?
Post by: DavidR on December 15, 2008, 07:39:14 PM
Ensure that you have the latest VPS update, 081215-1, which has corrected this detection.
Title: Re: ils.dll => false positive?
Post by: mkis on December 15, 2008, 08:22:07 PM
Same here following on from issues yesterday. I'm working with a few different computers and working updates with Windows. I'm currently posting from what will be the primary port of my intended SOHO network. At the moment I can shift amongst the PCs with removable wireless plug using each as a standalone. Ran boot time scan on this PC after receiving ils.dll message during an initial scan. Then GUI mode scan next and nothing suspect comes up subsequent to initial ils.dll message. I'm stepping back a bit now. I think juggling the computers and Windows and antivirus is not going to help if there is current virus threat, so need to reset my base...
Title: Re: ils.dll => false positive?
Post by: safesite on December 15, 2008, 08:30:31 PM
> I had the same message today, and ignored it.
>
> It is a false positive indeed. That means, it has no virus at all.
> The file belongs to the NetMeeting product which is part of Windows.
>
> If you don't use NetMeeting, it doesn't matter if you kill the file. But you can keep it anyway, the ALWIL team fixed their virus database so this file isn't reported malicious in the future.
>
> Simply update your virus database and this problem is gone....
>
> They are doing a really good job at ALWIL.  :)

Okay, so it's safe and it can stay. We say it's a false positive. Don't get the report of a virus anymore and have the latest VPS update file so I assume it's all good now.

Anyhow ALWIL do me a favor and don't repeat scaring the sh.. out of me will ya...  :o

Ta...
Title: Re: ils.dll => false positive?
Post by: con spirit sea on December 16, 2008, 06:28:59 AM
Not quite a fp. Why does microlimp need to run 'chat' software as a hidden system service? Avast is correct to show this as a warning: The OS is behaving like a virus.
Title: Re: ils.dll => false positive?
Post by: mkis on December 16, 2008, 07:31:15 AM
I think not quite so black and white. But I've messed a bit by adding my own changes after good advice "if it ain't broke don't fix it". I can system restore if I want but I might play it out as I will reload the OS anyway. I've reset the security as it was for now and backed up data to removable drive. And I still have another freshly loaded PC with same issue which I haven't made it back to as yet (since before I started on the webforum). Watching with interest.
Title: Re: ils.dll => false positive?
Post by: Lisandro on December 16, 2008, 11:39:26 AM
> Why does microlimp need to run 'chat' software as a hidden system service?
From which application is this dll?
Title: Re: ils.dll => false positive?
Post by: Wes182 on December 16, 2008, 11:52:05 AM
Hi, I've already updated my VPS but I still get the warning from a fresh boot. Should I just choose to ignore the file?

Or the update should've fixed it? But why am I still getting the warning?
Title: Re: ils.dll => false positive?
Post by: Lisandro on December 16, 2008, 11:57:52 AM
> Hi, I've already updated my VPS but I still get the warning from a fresh boot. Should I just choose to ignore the file?
Sure, ignore that file, right now a false positive.
Other users are experiencing the same and the update seems not to work ???

Until then, as a workaround, disable rootkit scanning in the Troubleshooting tab of program settings.
Title: Re: ils.dll => false positive?
Post by: Wes182 on December 16, 2008, 12:18:55 PM
But in "about avast" it shows my file version is 081215-0 and in update it says already updated to 081215-1.

Is it the same to you guys?
Title: Re: ils.dll => false positive?
Post by: Lisandro on December 16, 2008, 12:21:33 PM
> But in "about avast" it shows my file version is 081215-0 and in update it says already updated to 081215-1.
>
> Is it the same to you guys?
I have only -1 update both while updating (report) and the about dialog...
Try again? Boot? ???
Title: Re: ils.dll => false positive?
Post by: Wes182 on December 16, 2008, 01:22:12 PM
It's -1 now, did a repair on the uninstaller  ;D
Title: Re: ils.dll => false positive?
Post by: CharleyO on December 16, 2008, 08:53:15 PM
***

Information about this dll ...

http://www.filename.info/f/ils.dll.html

http://www.bang.ro/ils_dll.htm


***
Title: Re: ils.dll => false positive?
Post by: mkis on December 18, 2008, 12:53:17 AM
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123758

Title: Re: ils.dll => false positive?
Post by: mkis on December 23, 2008, 07:44:52 AM
Hi y'all. Posting back here as no longer any new issue to deal with. Seems hole in IE7 after major update 9 Dec through to Microsoft resolve Dec 17 led to incursion of exploits as I was loading web updates to operating systems. But no malware infections. Problem sorted through standard procedures. PC tune-up and protect. Things quiet since. Also, other PC with freshly loaded XP and DCOM exploit alerts fell back into normal Avast protection mode. Now updating per norm. Thorough scan today, clean system.

On weekend, did repair job for client seeming with same IE7 problem but malware infection due to messy PC. Righted PC and no problems since / as yet. Put issue down as IE7 vulnerability now resolved. Moving on. Until next time.